ServiceNow Multi-Factor Authentication Solutions for Australian Information Security Manual Maturity Level 2 Compliance

Executive Summary

As organisations across Australia accelerate their digital transformation initiatives, ensuring robust security measures while maintaining compliance with the Australian Information Security Manual (ISM) has become paramount. This white paper explores how ServiceNow's comprehensive multi-factor authentication (MFA) capabilities enable organisations to meet Maturity Level 2 requirements outlined by the Australian Signals Directorate (ASD) in the ISM, while enhancing overall security posture and user experience. Additionally, we examine how these solutions align with the ASD's Essential Eight mitigation strategies, providing a more comprehensive approach to cybersecurity compliance in the Australian context.

Introduction

The Australian Information Security Manual, developed by the Australian Signals Directorate, provides a framework of controls to help organisations protect their information and systems from cyber threats. The ISM adopts a risk-based approach to information security. The maturity levels referred to in this paper are those of ASD's Essential Eight Maturity Model, whose controls the ISM incorporates; Maturity Level 2 is the level at which multi-factor authentication used to authenticate users of an organisation's systems must be phishing-resistant, which makes the choice of MFA method a critical component of reaching it.

This white paper provides a detailed analysis of how ServiceNow's MFA solutions align with ISM Maturity Level 2 requirements and support the Essential Eight mitigation strategies, offering organisations a path to compliance while optimising their ServiceNow implementation.

Understanding ISM Maturity Level 2 MFA Requirements

At Maturity Level 2, the Australian ISM emphasises the implementation of phishing-resistant multi-factor authentication as a critical security control. Key requirements include:

  1. Authentication factors: Implementation of at least two authentication factors from different categories, one of which is always something the user has:
    • Something you know (passwords, PINs)
    • Something you have (smart cards, security tokens, FIDO2 authenticators)
    • Something you are (biometrics)
    The Essential Eight accepts either something the user has combined with something they know, or something the user has that is unlocked by something they know or are (a PIN or fingerprint on a security key). Two knowledge factors, such as a password plus a PIN, do not count as MFA.
  2. Phishing resistance: The authentication is cryptographically bound to the legitimate service, so a code or approval captured by, or relayed through, a look-alike site cannot be used against the real one.
  3. Scope of application: At Maturity Level 2, MFA is required for both privileged and unprivileged users of the organisation's systems, not only for privileged accounts and sensitive data; privileged accounts remain the first priority when rolling out.
  4. Integration capabilities: Ability to integrate with existing identity management systems without leaving a weaker parallel login path in place.
  5. Usability and security balance: Implementation that balances security requirements with user experience, so that users and support staff are not driven towards insecure workarounds.
  6. Auditability: Successful and unsuccessful MFA events are logged, centrally stored, and protected from unauthorised modification and deletion, so that they can be analysed.

Phishing-Resistant MFA: A Critical Requirement for Maturity Level 2

Understanding Phishing Vulnerabilities in Traditional MFA

Not all MFA methods provide equal protection against sophisticated phishing attacks. It's crucial to understand which methods meet the phishing-resistance requirements of ISM Maturity Level 2:

Non-Phishing-Resistant Methods:

  • Time-based One-Time Passwords (TOTP): Despite their widespread use, TOTP codes generated by authenticator apps can be captured by an adversary-in-the-middle phishing site and relayed to the real service within the same 30-second window. Nothing ties the code to the site the user typed it into.
  • SMS/Email One-Time Passwords (OTP): These methods are vulnerable to interception, SIM-swapping attacks, and the same real-time relay; the attacker only has to use the code before it expires.
  • Push notifications: An approval prompt, even one that is cryptographically signed or uses number matching, is generated by the service and answered on a phone; the authenticator never learns which web origin the user is actually on, so a phishing proxy can trigger a genuine prompt and let the victim approve it. Number matching blunts "MFA fatigue" (repeated prompts until the user taps approve) but does not make push phishing-resistant.

Phishing-Resistant Methods:

  • FIDO2/WebAuthn: Uses public key cryptography with origin binding. The browser, not the page, writes the current origin into the signed client data; the authenticator only releases credentials scoped to the relying party's RP ID; and the server verifies both, together with a fresh challenge, before it accepts the signature. An assertion produced on a look-alike domain therefore fails verification.
  • Hardware security keys: Roaming FIDO2 authenticators (or PIV tokens) whose private key never leaves the device; the same origin binding applies, and at registration the key's attestation lets the service verify which authenticator model was enrolled.
  • PKI-based smart cards: Certificate-based authentication over mutually authenticated TLS; the private key signs data specific to the TLS connection with the genuine server, so the credential cannot be relayed through a phishing site.
  Push-based approvals, however they are signed, belong in the first list for Maturity Level 2 purposes, because the approval is not bound to the origin the user is on.

ISM Maturity Level 2 Requirements for Phishing Resistance

ISM Maturity Level 2 requires phishing-resistant authentication for users of the organisation's systems, privileged and unprivileged alike, with privileged accounts the natural starting point because they are the most valuable targets. The requirement recognises that traditional MFA methods do not sufficiently protect against threat actors who bypass OTP and TOTP mechanisms with real-time relay phishing kits.

The Essential Eight and Phishing-Resistant MFA

The Australian Cyber Security Centre's (ACSC) Essential Eight framework (cyber.gov.au/essential-eight) aligns with the ISM on the importance of phishing-resistant MFA:

MFA as an Essential Eight Strategy

Multi-factor authentication is one of the eight mitigation strategies, and the Essential Eight Maturity Model (as revised in November 2023) raises the bar at each level:

  • Maturity Level One: MFA for users of internet-facing services (the organisation's own and third-party services that handle its sensitive data) and for customers of online services that handle sensitive customer data. The second factor must be something the user has, or something they have unlocked by something they know or are; phishing resistance is not yet required.
  • Maturity Level Two: MFA extended to privileged and unprivileged users of the organisation's systems; MFA used to authenticate those users must be phishing-resistant; customers of online customer services must be offered a phishing-resistant option; and successful and unsuccessful MFA events are centrally logged.
  • Maturity Level Three: Phishing-resistant MFA becomes mandatory for customers of online customer services as well, with broader coverage and event log analysis requirements on top of the Level Two controls.

ServiceNow MFA Solutions Overview

ServiceNow provides several MFA options that enable organisations to meet ISM Maturity Level 2 requirements while maintaining operational efficiency:

1. ServiceNow Native MFA

ServiceNow's platform includes built-in MFA capabilities with varying levels of phishing resistance:

Standard Methods (Not Phishing-Resistant):

  • Time-based One-Time Password (TOTP): Integration with RFC 6238 authenticator apps such as Google Authenticator, Microsoft Authenticator, and Authy.
  • Email-based verification: One-time codes sent to registered email addresses.
  • SMS-based verification: One-time codes sent to registered mobile numbers.
  • Push notifications: Approval requests sent to mobile devices. This applies to any push-based approval, whatever cryptographic protection the prompt itself carries, because the approval is not bound to the origin the user is on.

Phishing-Resistant Methods:

  • WebAuthn/FIDO2 Support: Standards-based phishing-resistant authentication using roaming security keys and platform authenticators (Windows Hello, Touch ID and similar), with the server verifying the origin, RP ID hash, challenge and signature of every assertion.

2. Integration with Third-Party Identity Providers

ServiceNow supports integration with leading identity providers that offer phishing-resistant MFA:

  • SAML 2.0 integration with phishing-resistant options: Delegate authentication to identity providers that support FIDO2 and other phishing-resistant methods. The strength of the login is then only as good as the identity provider's policy for the ServiceNow application, so that policy must require a phishing-resistant method for the relevant roles, and ServiceNow must still validate the assertion's signature, audience and validity window.
  • OAuth and OpenID Connect: Support for modern authentication protocols, with the same dependence on the identity provider's authentication policy.
  When authentication is federated, local username/password login on the instance should be disabled or restricted to break-glass accounts that have their own phishing-resistant MFA; otherwise it remains an unprotected parallel path.

3. Specific Third-Party MFA Solutions

ServiceNow has established partnerships with leading MFA solution providers offering phishing-resistant options:

  • Microsoft Entra ID (formerly Azure AD): Integration with Conditional Access authentication strength policies and phishing-resistant MFA capabilities, including FIDO2 security keys.
  • Okta: Support for Okta's adaptive MFA solutions with FIDO2 options.
  • Duo Security: Integration with Duo's comprehensive MFA platform, including WebAuthn support.
  • YubiKey and other FIDO2 authenticators: Support for physical security keys that provide strong phishing resistance.

Implementing Phishing-Resistant MFA in ServiceNow to Meet ISM Maturity Level 2

To achieve ISM Maturity Level 2 compliance, organisations should implement the following phishing-resistant MFA options in their ServiceNow environments:

  1. FIDO2/WebAuthn Authentication:
    • Configure ServiceNow to support security keys and platform authenticators
    • Require user verification (PIN or biometric on the authenticator) where supported; the biometric unlocks the key, and possession of the key is the factor the service verifies
    • Implement device registration and management procedures, including a second registered authenticator per privileged user so that losing one does not force a fallback to a weaker method
  2. Third-Party Identity Provider Integration with Phishing-Resistant Options:
    • Configure federation with identity providers that support FIDO2, and require it in the provider's policy for the ServiceNow application
    • Validate every assertion: signature, issuer, audience, recipient and validity window, plus the authentication context that records which MFA method was used
    • Implement appropriate session management: bounded session lifetime, re-authentication for privileged actions, and invalidation on sign-out
  3. Hardware Security Key Deployment:
    • Distribute FIDO2-compatible security keys to privileged users first
    • Implement backup and recovery procedures that do not reintroduce phishable methods
    • Provide training on proper usage

Addressing Legacy System Challenges

For systems and interfaces that cannot support phishing-resistant methods directly:

  1. Compensating Controls (these reduce risk but do not satisfy the Maturity Level 2 requirement):
    • Implement IP restrictions and network segmentation
    • Enhance monitoring and anomaly detection
    • Apply time-based access restrictions
  2. Staged Implementation Approach:
    • Begin with privileged accounts and the highest-risk applications
    • Gradually extend coverage across the organisation
    • Maintain clear documentation of exceptions and associated risk mitigations, since each exception is a gap an assessor will record against the maturity level

Mapping ServiceNow MFA Capabilities to ISM Maturity Level 2 and Essential Eight Requirements

ISM Requirement 1 & Essential Eight Alignment: Multi-category Authentication Factors

ServiceNow supports authentication factors across all three categories:

  • Something you know: Username/password combinations as the first factor.
  • Something you have: FIDO2 security keys and platform authenticators, mobile authenticator apps, and hardware tokens through third-party integrations. Email and SMS codes are also supported but are not phishing-resistant, so they do not satisfy Maturity Level 2 for authenticating users.
  • Something you are: Biometric verification through FIDO2 platform authenticators and device-level biometrics. In FIDO2 the biometric unlocks the credential on the device; what the service verifies is possession of the key, which is the "something you have unlocked by something you are" combination the Essential Eight accepts.

ISM Requirement 2: Phishing Resistance

ServiceNow enables phishing-resistant MFA through:

  • FIDO2/WebAuthn support: Origin-bound authentication in which the server checks the origin in the client data and the RP ID hash in the authenticator data before verifying the signature, so assertions produced on a look-alike domain are rejected.
  • Hardware security key integration: Support for physical security keys whose private keys never leave the device.
  • Challenge binding: Each assertion signs a fresh server-issued challenge and a signature counter, so a captured response cannot be replayed and a cloned authenticator can be detected.

ISM Requirement 3 & Essential Eight Alignment: Risk-based Application

ServiceNow allows granular control over MFA implementation:

  • Role-based MFA enforcement: Apply stronger, phishing-resistant MFA requirements for privileged roles.
  • Conditional MFA: Trigger additional authentication based on contextual factors such as location, device, and access patterns.
  • Privileged access management: Special phishing-resistant MFA requirements for administrative accounts and privilege escalation scenarios.

ISM Requirement 4: Integration Capabilities

ServiceNow provides robust integration options:

  • Enterprise IAM integration: Seamless integration with existing identity and access management infrastructures supporting phishing-resistant methods.
  • Directory services: Integration with LDAP and Active Directory services.
  • Federation services: Support for federated identity models through SAML and OAuth/OIDC with enhanced security configurations.

ISM Requirement 5: Usability and Security Balance

ServiceNow's MFA implementation prioritises both security and user experience:

  • Session management: Configurable session timeouts and re-authentication requirements.
  • Streamlined FIDO2 experience: Fast, passwordless authentication options that improve both security and usability.
  • Self-service capabilities: User-friendly interfaces for managing MFA settings and recovery options. Recovery is where attackers turn when the primary factor is strong, so self-service recovery must not let a privileged user downgrade to a phishable method without identity proofing.

ISM Requirement 6 & Essential Eight Alignment: Auditability

ServiceNow provides comprehensive logging and monitoring capabilities:

  • Authentication event logging: Detailed logs of all authentication attempts, including success and failure events and the MFA method involved, retained centrally and protected from modification.
  • MFA method tracking: Visibility into which authentication methods are being used across the organisation, which is what shows an assessor that privileged users are actually authenticating with phishing-resistant methods.
  • Real-time monitoring: Capabilities to detect and alert on suspicious authentication activities, such as bursts of denied push prompts or privileged logins that used a non-phishing-resistant method.
  • Compliance reporting: Reports over authentication events that demonstrate, per user and role, which methods were used, as evidence for ISM and Essential Eight assessments.
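As an added example (not ServiceNow's log schema or reporting code), the following script runs the two checks an assessor most wants to see over a small set of constructed authentication records: privileged logins that did not use a phishing-resistant method, and bursts of denied or expired push prompts followed by an approval, the signature of an MFA-fatigue attack. It also covers the role-based enforcement point above, since the method classes and privileged role names are the policy the check is applied against. The record fields (ts, user, roles, method, result), the role names and the method names are assumptions for the demonstration; an export from a real instance would need to be mapped onto them.

```javascript
// Constructed sample records. The fields are assumed for this demonstration and are
// not ServiceNow's authentication log schema; map your own export onto them.
const SAMPLE_EVENTS = [
  { ts: '2024-05-06T09:00:01Z', user: 'admin.jane',      roles: ['admin'],          method: 'webauthn', result: 'success' },
  { ts: '2024-05-06T09:02:11Z', user: 'ops.bob',         roles: ['itil'],           method: 'totp',     result: 'success' },
  { ts: '2024-05-06T09:05:40Z', user: 'sec.sam',         roles: ['security_admin'], method: 'sms',      result: 'success' },
  { ts: '2024-05-06T09:07:02Z', user: 'svc.integration', roles: ['admin'],          method: 'password', result: 'success' },
  { ts: '2024-05-06T21:14:00Z', user: 'ops.bob',         roles: ['itil'],           method: 'push',     result: 'denied' },
  { ts: '2024-05-06T21:14:25Z', user: 'ops.bob',         roles: ['itil'],           method: 'push',     result: 'denied' },
  { ts: '2024-05-06T21:14:50Z', user: 'ops.bob',         roles: ['itil'],           method: 'push',     result: 'expired' },
  { ts: '2024-05-06T21:15:20Z', user: 'ops.bob',         roles: ['itil'],           method: 'push',     result: 'denied' },
  { ts: '2024-05-06T21:15:41Z', user: 'ops.bob',         roles: ['itil'],           method: 'push',     result: 'success' },
  { ts: '2024-05-06T22:00:00Z', user: 'admin.jane',      roles: ['admin'],          method: 'push',     result: 'denied' },
];

// Roles treated as privileged for the check (assumed names).
const PRIVILEGED_ROLES = new Set(['admin', 'security_admin']);

// Method classes as the Essential Eight draws the line; unknown methods fail closed.
const PHISHING_RESISTANT = new Set(['webauthn', 'fido2', 'smartcard']);
const MFA_NOT_RESISTANT = new Set(['totp', 'sms', 'email_otp', 'push']);

function classifyMethod(method) {
  if (PHISHING_RESISTANT.has(method)) return 'phishing-resistant';
  if (MFA_NOT_RESISTANT.has(method)) return 'mfa, not phishing-resistant';
  if (method === 'password') return 'single factor';
  return 'unknown, treat as non-compliant';
}

// Finding 1: successful privileged logins that did not use a phishing-resistant method.
function privilegedMfaFindings(events, privilegedRoles = PRIVILEGED_ROLES) {
  return events
    .filter((e) => e.result === 'success' && e.roles.some((r) => privilegedRoles.has(r)))
    .map((e) => ({ user: e.user, ts: e.ts, method: e.method, class: classifyMethod(e.method) }))
    .filter((f) => f.class !== 'phishing-resistant');
}

// Finding 2: MFA-fatigue pattern. `threshold` or more push prompts denied or expired
// within `windowSec` for one user, and whether an approval followed inside that window.
function pushFatigueBursts(events, windowSec = 300, threshold = 3) {
  const byUser = new Map();
  for (const e of events) {
    if (e.method !== 'push') continue;
    if (!byUser.has(e.user)) byUser.set(e.user, []);
    byUser.get(e.user).push({ t: Date.parse(e.ts) / 1000, result: e.result });
  }
  const bursts = [];
  for (const [user, prompts] of byUser) {
    prompts.sort((a, b) => a.t - b.t);
    const rejected = prompts.filter((p) => p.result !== 'success');
    for (let i = 0; i < rejected.length; i++) {
      let j = i;                                   // widen the window from prompt i
      while (j + 1 < rejected.length && rejected[j + 1].t - rejected[i].t <= windowSec) j++;
      if (j - i + 1 < threshold) continue;
      const end = rejected[i].t + windowSec;
      const approvedAfterBurst = prompts.some((p) => p.result === 'success' && p.t > rejected[i].t && p.t <= end);
      bursts.push({ user, start: new Date(rejected[i].t * 1000).toISOString(), prompts: j - i + 1, approvedAfterBurst });
      break;                                       // one finding per user is enough for the report
    }
  }
  return bursts;
}

// Method usage for successful logins, the figure an assessor asks for first.
function methodSummary(events) {
  const counts = {};
  for (const e of events) if (e.result === 'success') counts[e.method] = (counts[e.method] || 0) + 1;
  return counts;
}

function runReport(events = SAMPLE_EVENTS) {
  return { privileged: privilegedMfaFindings(events), bursts: pushFatigueBursts(events), methods: methodSummary(events) };
}

console.log(JSON.stringify(runReport(), null, 2));
```

On the sample data the report flags sec.sam (SMS) and svc.integration (password only) as privileged logins outside the phishing-resistant class, and one burst for ops.bob: four rejected push prompts in under two minutes followed by an approval, which is exactly the pattern the non-phishing-resistant push method leaves in the logs. The two checks are cheap enough to run on every export and give the per-method evidence the auditability requirement asks for.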

Complementary Essential Eight Controls in ServiceNow

Beyond MFA, ServiceNow supports other Essential Eight strategies that complement authentication security. Most of these controls are enforced on endpoints and servers rather than in ServiceNow itself; the platform's contribution is tracking, workflow and evidence:

  1. Application Control: The CMDB and configuration management can record which hosts have application control policies deployed; enforcement happens on the endpoint.
  2. Patch Applications: ServiceNow's Vulnerability Response module helps manage the patching process.
  3. Configure Microsoft Office Macro Settings: ServiceNow's CMDB and configuration management capabilities support tracking macro settings across the organisation.
  4. User Application Hardening: ServiceNow helps track application configurations and security settings.
  5. Restrict Administrative Privileges: ServiceNow's role-based access control, applied within the instance, complements phishing-resistant MFA in securing privileged accounts; this is the strategy the platform enforces directly.
  6. Patch Operating Systems: ServiceNow's IT Operations Management suite supports comprehensive patching workflows.
  7. Daily Backups: ServiceNow's Business Continuity Management supports backup strategy documentation and verification.

Implementation Considerations for ISM Maturity Level 2 and Essential Eight Compliance

Assessment and Planning

  1. Current state assessment: Evaluate existing authentication mechanisms, identifying which ones meet phishing-resistance requirements.
  2. Risk assessment: Identify systems and data requiring phishing-resistant MFA protection.
  3. User impact analysis: Assess the impact of implementing phishing-resistant MFA on various user groups and develop appropriate training plans.
  4. Essential Eight maturity level targeting: Determine which Essential Eight maturity level is appropriate for your organisation based on risk profile.

Technical Implementation

  1. Authentication method selection: Choose appropriate phishing-resistant MFA methods based on security requirements and user contexts.
  2. Phased rollout: Implement phishing-resistant MFA in phases, starting with high-privilege accounts (as required by Essential Eight) and gradually expanding to all users.
  3. Integration configuration: Configure necessary integrations with existing identity providers that support phishing-resistant authentication methods.
  4. Legacy system strategies: Develop approaches for systems that cannot directly support phishing-resistant methods.

Policy Development

  1. MFA policy documentation: Develop comprehensive policies outlining phishing-resistant MFA requirements, exemptions, and enforcement.
  2. Recovery procedures: Establish clear guidelines for account recovery when MFA devices are lost or unavailable, including identity proofing before re-enrolment and no fallback to SMS or email codes for privileged accounts.
  3. Compliance validation: Define processes for regularly validating MFA compliance across the ServiceNow environment.
  4. Essential Eight alignment documentation: Map MFA configurations to specific Essential Eight requirements for audit purposes.

Best Practices for Phishing-Resistant MFA Implementation in ServiceNow

  1. Defence in depth: Consider phishing-resistant MFA as one component of a comprehensive security strategy aligned with all Essential Eight controls.
  2. User education: Provide clear guidance and training on phishing awareness and proper use of security keys and other phishing-resistant methods.
  3. Backup authentication methods: Establish secure backup authentication procedures for cases where primary methods are unavailable; a second registered security key is a backup, whereas a fallback to TOTP or SMS is a downgrade that reopens the phishing path.
  4. Regular testing: Conduct periodic testing of MFA mechanisms to ensure continued effectiveness against evolving phishing techniques.
  5. Continuous improvement: Regularly review and update MFA configurations to address emerging threats.
  6. Essential Eight alignment: Use the Essential Eight maturity model as a roadmap for progressive enhancement of security controls.

Conclusion

ServiceNow's diverse multi-factor authentication options, particularly its phishing-resistant capabilities, provide organisations with the flexibility and security needed to meet Australian Information Security Manual Maturity Level 2 requirements and Essential Eight recommendations effectively. By implementing phishing-resistant MFA through ServiceNow, organisations can significantly enhance their security posture against sophisticated attacks, comply with regulatory requirements, and provide a secure yet user-friendly experience.

As cyber threats continue to evolve in sophistication, phishing-resistant multi-factor authentication remains a critical control for protecting sensitive information and systems, as recognised by both the ISM and the Essential Eight framework. ServiceNow's robust MFA capabilities, combined with its comprehensive platform for digital transformation, position organisations to achieve both security and operational excellence while meeting Australian cybersecurity compliance requirements.

For more information on the Essential Eight, visit the Australian Cyber Security Centre's website at cyber.gov.au/essential-eight, which provides detailed implementation guidance across all maturity levels.